Re: Help: Tracking Down Errant SMTP Server.
- From: "Sanford Whiteman" <swhitemanlistens-software@xxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 10 Jul 2007 14:17:16 -0400
> Hello, I'm living in a spam nightmare and need some help tracking
> down an errant SMTP engine that is wreaking havoc on users' email
> accounts.
Arrant, too, I'd say. :)
> From the looks of things, a user's email address is being used by an
> errant SMTP engine out there.
It'd be wishful thinking to assume it's just one "engine" -- likely a
load of zombies.
> The SMTP engine is sending out massive amounts of emails and
> specifying this user's account as the "Return To Address".
Classic 'Joe Job'. There is nothing inherent in the SMTP protocol that
prohibits what we perceive as "impersonation" of an envelope sender.
Originally, JJs were largely malicious, deliberate DoS attacks against
specific senders. Later, spammers started using large ranges of sender
addresses to ensure they'd have a legit return address and thus pass
sender address verification (SAV) checks. Typically, JJs of the spam
type calm down after several days, as each address falls out of
rotation. However, JJs *designed* for spam can malfunction -- it is
both amusing and horrifying when the botnets malfunction, spewing
e-mail without variable substitution and such -- in which case they
would be as overwhelming as a deliberate attack. It would be hard to
tell one from the other unless the victim had very recently made some
enemies, such as by starting up an anti-spam business, or really any
kind of extreme personal or corporate antagonism where the other side
is tech-savvy.
The only way to attempt to proactively prevent JJs is to publish an
SPF policy for your domain. However, SPF failures are enforced by a
small enough fraction of remote servers that this will have little
practical effect. Still, publishing SPF may have an ethical (and
perhaps legal?) benefit in that it shows that you have made a
good-faith effort to highlight impersonation by listing the servers
you authorize to send mail from your domain... thus, all others are
contravening your published policy and you can't be as responsible for
them as you would be without the public record.
> This is some form of DNS as the user's email account is now
> unusable.
DoS. :)
> What is the best way to track down the sender(s) of these email
> messages, and has anyone else experienced this problem?
Many millions have experienced this problem. As I said, it should
abate if it is not a deliberate targeting of this account. You can
inspect the headers of the NDRs to get an idea of how many different
IPs generated the original messages. If by some chance it is a very
small set of IPs, you can pursue it with the ISP and also with (I
understand) law enforcement, as there is case law establishing that a
crime has been committed. But chances are, you'll see a huge range of
spam zombie IPs with no responsible party.
--Sandy
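Sandy's two practical suggestions, counting the distinct originating IPs in the returned NDRs and publishing an SPF policy, worked through as an added Python example (not code from this thread or from any of the posters). It parses constructed multipart/report bounces, takes the first routable peer address in each returned message's Received: chain reading from the top down (the headers the bouncing site wrote itself; anything further down may have been forged by the bot), and checks each address against an assumed published policy. The bounce layout, host names, addresses and the policy string are all constructed for illustration; the SPF matcher handles only ip4 terms and does no DNS.

```python
"""Joe-job NDR triage: count bounces per originating IP and check each IP
against a published SPF-style policy. Added illustration; every bounce,
host name, address and the policy below is constructed, not real data."""
import ipaddress
import re
from collections import Counter
from email import message_from_string

# Peer addresses that tell us nothing about the true sender (internal relays
# of the bouncing site, or values a bot forged into lower Received: lines).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Assumed policy for the impersonated domain: only 192.0.2.0/24 may send.
POLICY = "v=spf1 ip4:192.0.2.0/24 -all"


def bounced_messages(ndr):
    """Yield the returned original message(s) that an NDR embeds as
    message/rfc822 parts (the usual multipart/report layout)."""
    for part in ndr.walk():
        if part.get_content_type() == "message/rfc822":
            for original in part.get_payload():
                yield original


def originating_ip(original):
    """Return the first routable IPv4 in the 'from' clause of the Received:
    chain, reading newest hop first. The top lines were added by the site
    that bounced the mail; lines below the first external peer may be forged,
    so we never walk bottom-up."""
    for received in original.get_all("Received", []):
        from_clause = received.split(" by ")[0]
        for candidate in IP_RE.findall(from_clause):
            addr = ipaddress.ip_address(candidate)
            if not any(addr in net for net in INTERNAL_NETS):
                return str(addr)
    return None


def spf_permits(policy, ip):
    """Minimal matcher for a 'v=spf1 ip4:<cidr> ... -all' record (assumed
    form). a/mx/include terms need DNS and are skipped here."""
    addr = ipaddress.ip_address(ip)
    for term in policy.split()[1:]:
        if term.startswith("ip4:") and addr in ipaddress.ip_network(term[4:], strict=False):
            return True
        if term in ("-all", "~all"):
            return False
    return False


def triage(ndr_texts, policy):
    """Aggregate bounces per originating IP; NDRs without a recoverable
    original message are counted under 'unknown'."""
    counts = Counter()
    for text in ndr_texts:
        ndr = message_from_string(text)
        origins = [originating_ip(o) for o in bounced_messages(ndr)] or [None]
        for ip in origins:
            counts[ip or "unknown"] += 1
    return {ip: {"bounces": n,
                 "spf_permits": spf_permits(policy, ip) if ip != "unknown" else None}
            for ip, n in counts.items()}


def make_ndr(received_headers):
    """Build a constructed multipart/report bounce wrapping an original
    message whose Received: chain (newest first) is given."""
    original = "\n".join(received_headers + [
        "From: victim@example.com", "To: someone@mail.example.net",
        "Subject: (spam subject)", "", "(spam body)"])
    return "\n".join([
        "From: MAILER-DAEMON@mail.example.net", "To: victim@example.com",
        "Subject: Undelivered Mail Returned to Sender", "MIME-Version: 1.0",
        'Content-Type: multipart/report; report-type=delivery-status; boundary="B"',
        "", "--B", "Content-Type: text/plain", "",
        "This is the mail system at mail.example.net. Delivery failed.",
        "--B", "Content-Type: message/rfc822", "", original, "--B--", ""])


# Constructed sample bounces: two from the same zombie (one via the remote
# site's internal relay), one from a second zombie, one with no original.
SAMPLE_NDRS = [
    make_ndr(["Received: from [198.51.100.7] (unknown [198.51.100.7]) by mail.example.net with ESMTP; Tue, 10 Jul 2007 09:01:12 -0400",
              "Received: from mx.victim-isp.example ([192.168.1.44]) by localhost; (forged by the bot)"]),
    make_ndr(["Received: from relay.example.net ([192.168.5.2]) by mail.example.net; Tue, 10 Jul 2007 09:02:40 -0400",
              "Received: from [198.51.100.7] (unknown [198.51.100.7]) by relay.example.net; Tue, 10 Jul 2007 09:02:39 -0400"]),
    make_ndr(["Received: from [203.0.113.250] (unknown [203.0.113.250]) by mail.example.net; Tue, 10 Jul 2007 09:05:03 -0400"]),
    "From: MAILER-DAEMON@other.example\nTo: victim@example.com\nSubject: failure\n\nNo original attached.\n",
]

if __name__ == "__main__":
    for ip, info in sorted(triage(SAMPLE_NDRS, POLICY).items()):
        print(f"{ip:16} bounces={info['bounces']} spf_permits={info['spf_permits']}")
```

The table this prints is what Sandy describes looking for: if it shows a handful of addresses, the ISP (or law enforcement) has something to act on; if it shows hundreds, it is a zombie rotation and will abate. The policy string is what the impersonated domain would publish as a TXT record; a receiving server that enforces SPF would reject the 198.51.100.7 and 203.0.113.250 connections above because neither falls inside the listed range.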